OFBiz › OFBiz - Commits

svn commit: r1858966 - in /ofbiz/ofbiz-framework/branches/release18.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

svn commit: r1858966 - in /ofbiz/ofbiz-framework/branches/release18.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

Author: jleroux
Date: Thu May 9 06:05:57 2019
New Revision: 1858966

URL: http://svn.apache.org/viewvc?rev=1858966&view=rev
Log:
"Applied fix from trunk for revision: 1858965"
------------------------------------------------------------------------
r1858965 | jleroux | 2019-05-09 08:05:05 +0200 (jeu. 09 mai 2019) | 18 lignes

Fixed: Product content management screen doesn't validate trusted users' input
(OFBIZ-10054)

Steps to recreate:
1) go to (authenticate with admin/ofbiz):
https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111

2) set the content of the field labeled "Large Image" to:
non_existent.foo" onerror="alert('Hi!');

3) visit the url:
https://localhost:8443/ecommerce/control/product?product_id=WG-1111

A popup message will appear with the "Hi!".

jleroux: This is fixed by preventing any js event to be passed

Thanks: Loris Nardo for report, Jacopo and Gregory for discussion
------------------------------------------------------------------------

Modified:
ofbiz/ofbiz-framework/branches/release18.12/ (props changed)
ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

Propchange: ofbiz/ofbiz-framework/branches/release18.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 9 06:05:57 2019
@@ -10,4 +10,4 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1849931,1850015,1850023,1850530,1850647,1850685,1850694,1850711,1850914,1850918,1850921,1850948,1850953,1851006,1851013,1851068,1851074,1851130,1851158,1851200,1851224,1851247,1851254,1851315,1851319,1851350,1851353,1851433,1851500,1851805,1851885,1851998,1852503,1852587,1852818,1852882,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1854683,1855078,1855083,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856212,1856405,1856455,1856459-1856460,1856484,1856598,1856610,1856613,1856617,1856667,1857088,1857099,1857152,1857154,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858092,1858180,1858250,1858256,1858275,1858319,1858347,1858432,1858444,1858523,1858539
+/ofbiz/ofbiz-framework/trunk:1849931,1850015,1850023,1850530,1850647,1850685,1850694,1850711,1850914,1850918,1850921,1850948,1850953,1851006,1851013,1851068,1851074,1851130,1851158,1851200,1851224,1851247,1851254,1851315,1851319,1851350,1851353,1851433,1851500,1851805,1851885,1851998,1852503,1852587,1852818,1852882,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1854683,1855078,1855083,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856212,1856405,1856455,1856459-1856460,1856484,1856598,1856610,1856613,1856617,1856667,1857088,1857099,1857152,1857154,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858092,1858180,1858250,1858256,1858275,1858319,1858347,1858432,1858444,1858523,1858539,1858965

Modified: ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java?rev=1858966&r1=1858965&r2=1858966&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java (original)
+++ ofbiz/ofbiz-framework/branches/release18.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Thu May 9 06:05:57 2019
@@ -24,6 +24,7 @@ import java.lang.reflect.Method;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
@@ -31,6 +32,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;

+import org.apache.commons.lang3.StringUtils;
import org.apache.ofbiz.base.html.SanitizerCustomPolicy;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.HTMLEntityCodec;
@@ -47,6 +49,24 @@ public class UtilCodec {
private static final StringEncoder stringEncoder = new StringEncoder();
private static final UrlCodec urlCodec = new UrlCodec();
private static final List<Codec> codecs;
+ // From https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
+ private static final List<String> jsEventList = Arrays.asList(new String[] { "onAbort", "onActivate",
+ "onAfterPrint", "onAfterUpdate", "onBeforeActivate", "onBeforeCopy", "onBeforeCut", "onBeforeDeactivate",
+ "onBeforeEditFocus", "onBeforePaste", "onBeforePrint", "onBeforeUnload", "onBeforeUpdate", "onBegin",
+ "onBlur", "onBounce", "onCellChange", "onChange", "onClick", "onContextMenu", "onControlSelect", "onCopy",
+ "onCut", "onDataAvailable", "onDataSetChanged", "onDataSetComplete", "onDblClick", "onDeactivate", "onDrag",
+ "onDragEnd", "onDragLeave", "onDragEnter", "onDragOver", "onDragDrop", "onDragStart", "onDrop", "onEnd",
+ "onError", "onErrorUpdate", "onFilterChange", "onFinish", "onFocus", "onFocusIn", "onFocusOut",
+ "onHashChange", "onHelp", "onInput", "onKeyDown", "onKeyPress", "onKeyUp", "onLayoutComplete", "onLoad",
+ "onLoseCapture", "onMediaComplete", "onMediaError", "onMessage", "onMouseDown", "onMouseEnter",
+ "onMouseLeave", "onMouseMove", "onMouseOut", "onMouseOver", "onMouseUp", "onMouseWheel", "onMove",
+ "onMoveEnd", "onMoveStart", "onOffline", "onOnline", "onOutOfSync", "onPaste", "onPause", "onPopState",
+ "onProgress", "onPropertyChange", "onReadyStateChange", "onRedo", "onRepeat", "onReset", "onResize",
+ "onResizeEnd", "onResizeStart", "onResume", "onReverse", "onRowsEnter", "onRowExit", "onRowDelete",
+ "onRowInserted", "onScroll", "onSeek", "onSelect", "onSelectionChange", "onSelectStart", "onStart",
+ "onStop", "onStorage", "onSyncRestored", "onSubmit", "onTimeError", "onTrackChange", "onUndo", "onUnload",
+ "onURLFlip", "seekSegmentTime" });
+
static {
List<Codec> tmpCodecs = new ArrayList<>();
tmpCodecs.add(new HTMLEntityCodec());
@@ -361,9 +381,22 @@ public class UtilCodec {
if (value.indexOf("<") >= 0 || value.indexOf(">") >= 0) {
errorMessageList.add("In field [" + valueName + "] less-than (<) and greater-than (>) symbols are not allowed.");
}
+
+ // check for js events
+ final String onEvent = "on" + StringUtils.substringBetween(value, " on", "=");
+ final boolean seekSegmentTime = value.contains("seekSegmentTime");
+ if (null != onEvent || seekSegmentTime) {
+ if (jsEventList.stream().anyMatch(str -> StringUtils.containsIgnoreCase(str, onEvent)) || seekSegmentTime) {
+ errorMessageList.add("In field [" + valueName + "] js events are not allowed.");
+ }
+ }

// TODO: anything else to check for that can be used to get HTML or JavaScript going without these characters?
-
+ // Another would be https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding
+ // But all our Tomcat connectors use UTF-8
+ // We don't care about Flash now rather deprecated
+ // AFAIK all others need less-than (<) and greater-than (>) symbols
+
return value;
}